[Detections & Response] RBAC - Add Detection Alerts kibana feature

[denar50]

What this Does

This PR introduces Alerts RBAC: a dedicated Kibana feature (securitySolutionAlertsV1) for controlling who can view and edit detection alerts. Alerts permissions are moved out of the Rules feature and into this new Alerts feature, so that access to alerts (viewing, updating status, assigning, tagging) can be granted independently from rules (managing detection rules):

The change is part of the broader Security Solution RBAC Epic and follows the same pattern as:

• Rules RBAC — rules-specific read/all privileges
• Exceptions RBAC — exceptions subfeatures under Rules

Summary of what moves:

Before	After
Alerts read/edit implied by Rules or legacy Security features	Alerts read/edit come from the Alerts feature (securitySolutionAlertsV1)
Update operations (status, assignees, tags) allowed with Rules read in some cases	Update requires Alerts edit (or legacy deprecated privilege for backward compatibility)

New privilege model:

• Alerts feature – Read: read_alerts (UI), alerts-read (API). View alerts, open flyouts, see tables.
• Alerts feature – All: edit_alerts (UI), alerts-all (API). All of the above plus: change status, set assignees, set tags, bulk actions.

Backward compatibility is preserved for existing roles: users with only legacy Security (siem/siemV2/siemV3/siemV4) or Rules (securitySolutionRulesV1/V2) read access still get a deprecated “update alerts” capability so they can continue to perform alert updates until roles are migrated.

Note also that, similarly to the previous PRs for this epic, this does not update the prebuilt/test roles, which will come in a subsequent PR. This means that using an existing prebuilt role will implicitly exercise the role migration path, as do the existing tests.

---

How to Review

Permissions change (high level)

• API: Alert update routes (open/close, set tags, set assignees) now require ALERTS_API_ALL or ALERTS_API_UPDATE_DEPRECATED_PRIVILEGE. Read-only alert operations require ALERTS_API_READ.
• UI: Alerts UI uses the Alerts feature’s read_alerts / edit_alerts; the capability switcher grants the deprecated update capability to legacy Security and Rules features so existing roles keep update behavior.
• New configurations to consider: You can have Rules without Alerts (manage rules, no alert access) and Alerts without Rules (view/edit alerts, no rule management). Reviewers should sanity-check both.

Testing setup

• Roles and users: As mentioned earlier, prebuilt roles can be used to examine how legacy roles will behave, and to verify backwards compatibility. However, the net new functionality/permissions can and should be tested with custom roles. Luckily, we've written some tools to assist with this.
  • First, we have a script to generate users and roles from a yaml config file. Simply run the script to add/update the users and roles referenced in the yaml file.
  • To get one started, I've prepared a yaml file with all nine permutations of the new Rules and Alerts RBAC permissions. To test a particular combination, simply log in as the user with the corresponding role. For example, to test Alerts edit without Rules access, log in as alerts-all|rules-none (password: changeme).

---

Areas of Interest

Please verify behavior in these areas with Alerts read only vs Alerts read + edit (and, if possible, Rules without Alerts and Alerts without Rules).

Alerts Page

• Dashboards: Tiles and links that show or link to alerts respect Alerts read; any edit/action from a dashboard should respect Alerts edit.
• Alerts table: Loads and shows data only when the user has Alerts read. Sorting, filtering, and column visibility should work for read users.
  • Row actions: Status, assignees, tags, and other update actions are visible/enabled only when the user has Alerts edit (or legacy update).
  • Bulk actions: Bulk status change, assignees, tags, etc. require Alerts edit; otherwise hidden or disabled.
• Alerts flyout: Opens for read users; in-flyout update actions (status, assignees, tags) only for users with Alerts edit (or legacy update).

Timeline

• Alerts shown in Timeline respect Alerts read; any in-Timeline action that updates an alert (e.g. status, assignee, tags) should require Alerts edit (or legacy update).
• Note: Timeline still requires/uses ES permissions to fetch alerts data. In the same way as Dev Tools or Discover, It is not guarded by the Alerts feature permission.

Rule Details – Alerts tab

• Alerts table on the Rule Details page follows the same rules: read-only for Alerts read; row/bulk update actions for Alerts edit (or legacy update).

Entity analytics (EA) – Risk contributions / flyout

• Any UI that shows or updates alerts in the context of EA (e.g. risk contributions, flyout) should respect Alerts read for viewing and Alerts edit for updates.

Cases

• Cases and case-attached alerts: Viewing alerts attached to a case requires Alerts read. Updating those alerts (status, assignees, tags) from the Case view should require Alerts edit (or legacy update).

Alerts Flyout

• Any users lacking the Alerts privilege attempting to view an Alerts flyout should see instead a permissions callout:

---

Checklist for Reviewers

• Confirmed Alerts read only can view alerts everywhere (Alerts page, Timeline, Rule Details, Cases, EA) but cannot perform update actions.
• Confirmed Alerts read + edit can perform status/assignee/tag updates (row and bulk) in all areas above.
• Confirmed Rules without Alerts cannot see or interact with alerts (or see appropriate empty/denied state).
• Confirmed Alerts without Rules can use the Alerts page and alert actions without rule management access.
• Confirmed legacy Security/Rules-only roles still have update capability (backward compatibility).

---

Related links

• RBAC Epic
• Rules RBAC PR
• Exceptions RBAC PR

Checklist

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
• Flaky Test Runner was used on any tests changed

[rylnd]

@elastic/response-ops FYI beyond checking the updated alerting.rule and alerting.alert privileges in the two new features, here, the one file to review is related to hiding the bulk actions UI for alerts-read users on our alerts tables.

[maximpn]

Rule Management Area changes LGTM 👍

I've smoke tested Rule Management and Alerts with the script generated users. The behavior has expect restrictions for users. It looks good to go.
The only thing to double check is Selected data view is unavailable error toast message shown to alerts-none|rules-read users.

Details on what have been tested

I tested Rule Management and Alerts parts of the functionality for the following users

• alerts-none|rules-none user
  This users can't see any SIEM UI as expected.

  

• alerts-none|rules-read user
  Got a toast error "Selected data view is unavailable". It appeared and disappeared quickly. I'm not sure if it's expected.

• alerts-none|rules-all user

• alerts-read|rules-none user
  Users may see rule and exception ids written to the alert. This seems to be expected. Anyway the rules management page is unavailable without rules permissions.

• alerts-read|rules-read user
• alerts-read|rules-all user
• alerts-all|rules-none user
• alerts-all|rules-read user
• alerts-all|rules-all user

[maximpn]

Was it a bug not taking panel.items into account?

[rylnd]

Yes, that's why I fixed it 😉 . However, it wasn't a bug prior to this branch, since there wasn't previously a user who could see the alerts table but lacked alert actions. I detailed this in 84c6d94.

[maximpn]

I wonder whether we should comment on what a security feature does. We have increasing number of security features where the boundary might be not 100% clear. There is a Google Sheet(s) describing the behavior but it lives separately. A comment could make the description clearer to the code.

WDYT?

[rylnd]

I agree. I see we already had a README; I've added dev-oriented documentation for the Security, Rules, and Alerts features in 3eed09b.

[maximpn]

Should we have tests without rules permissions?

[rylnd]

I think that in general for these tests: a "happy path" "everything gets rendered" makes sense at the top level, along with breaking out privilege-specific tests at whichever level they're handled.

There are more specific tests in child components (e.g. Header) to this one, and this particular component doesn't have any privilege-specific logic at this level, but: I did add one high level "does not render 'Manage Rules'" test in 5517d72.

[maximpn]

How should it work with #258556? Endpoint exceptions will be moved out. Do we expect to apply the same RBAC to the tab?

[rylnd]

If the user does not have access to Endpoint Exceptions, then whether/where it's been moved isn't relevant to them.

If there is some other expected behavior here, please clarify.

[cnasikas]

ResponseOps file changes LGTM! I did not review the RBAC changes.

[coderabbitai]

Caution

Review failed

The head commit changed during the review from ca54f79 to b7ef23a.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

Warning

Tools execution failed with the following error:

Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dhurley14]

Detection engine codeowners changes are straightforward and look good. I tested that the roles are migrated correctly too.

Read privileges migration

Dev tools shows no explicit alerts privileges for the security read role I created in main:

---

Here is the privilege summary for that same role when I switch to this branch, correctly showing the user role has Read for alerts, which is carried over from the Rules privilege, despite not having it explicitly in the role definition (see dev tools above) 👍 :

All privileges migration

Dev tools shows no explicit alerts privileges for the security all role I created in main:

---

Here is the privilege summary for that same role when I switched to this branch, correctly showing the user role has All for alerts, which is carried over from the Rules privilege despite not having it explicitly in the role definition (see dev tools above) 👍:

[elasticmachine]

⏳ Build in-progress

• Buildkite Build
• Commit: 3093b7b
• Cloud Deployment

History

• 💔 Build #415834 failed db369f3
• 💔 Build #415783 failed 094253d
• 💔 Build #415582 failed ca54f79
• 💛 Build #414999 was flaky 5517d72
• 💚 Build #414939 succeeded 3eed09b

cc @rylnd